Hi,

I've now written down my ideas on how to improve browsers' handling of
the Referer header field:

https://briansmith.org/referrer-01.html

I admit the proposal is quite rough, but I think this proposal does a
decent job of explaining how and why the draft referrer policy
document can be improved, and how and why the CSP referrer directive
should be changed (replaced). A comparison between this proposal and
the current WebAppSec drafts is at the end of the proposal. This
proposal reflects feedback received from Twitter and Facebook from
last year, and from other people in the Mozilla community, from when I
was at Mozilla.

My intent in sharing this proposal here is to initiate discussion
which will (hopefully) lead to the improvements to the Referrer Policy
and CSP 2 drafts that the proposal suggests.

Feedback appreciated.

Cheers,
Brian